As we’ve already mentioned in the previous modules, cyberthreats cause significant losses to companies of every size and industry. In module four, we’ll walk through phishing email examples taken from real-life phishing campaigns, show how the victims recovered, and draw out the lessons learned.
Phishing email examples
Case 1: Loss of $407,000 by a Hospital
Under a contract for emergency services coverage, a rural hospital partnered with ED group. Every month the hospital received an invoice by email and paid $200,000 or more for the services. The phishing emails kept coming for a couple of months, until somebody discovered that ED group never sent payment requests by email at all. By then the hospital had lost $407,000.
Human error opens the door to fraud in every phishing example. In this case, however, there was a clear warning sign the hospital staff could have caught. The first month’s payment was rejected on ED group’s side because the receiving account was blocked, and once the money came back, the hospital sent it again to a new bank account number. A bounced payment followed by a request to use a different account is one of the most reliable indicators of invoice fraud, and it should always trigger verification through a channel other than email.
After the incident, the hospital made cybersecurity training and two-factor authentication on email accounts mandatory for all managers. It also changed its transfer procedures, adding a mandatory verbal confirmation from the vendor before any financial transaction. For such a call-back to be worth anything, it has to go to a phone number already on file, not to one supplied in the email that requests the payment.
First of all, this phishing email example shows how important it is to look at the sender and verify the address, especially when large sums of money are involved. A display name such as “ED group” can be put on any mailbox, so it is the domain behind the display name that has to match the vendor’s, and a Reply-To address that points somewhere else is a red flag in its own right.
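The checks just described can be automated on the mail gateway or in a script the accounts-payable team runs over incoming invoices. The following Python is an added example, not code from the original module or from any organization mentioned in it: it parses the headers of an invoice email and reports a sender domain that is not the vendor’s (including one- or two-character lookalikes such as a zero in place of an “o”), a Reply-To that routes replies to another domain, and a Return-Path that does not match the From address. The vendor domain, the two sample messages and every address in them are constructed for illustration.

```python
"""Sender-verification checks for an incoming invoice email.

Added example, not code from the original module. The vendor domain, the sample
messages and every address in them are constructed for illustration.
"""
from email.parser import Parser
from email.utils import parseaddr

# Hypothetical: the vendor's real domain as recorded in the vendor master file.
VENDOR_DOMAIN = "edgroup.example"


def _domain(header_value: str) -> str:
    """Lowercased domain part of the address in a header, or '' if there is none."""
    _, address = parseaddr(header_value)
    return address.rpartition("@")[2].lower() if "@" in address else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value means a lookalike (edgr0up vs edgroup)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str, expected_domain: str = VENDOR_DOMAIN) -> list[str]:
    """Return the red flags found in the headers; an empty list means none."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    findings: list[str] = []

    from_domain = _domain(msg.get("From", ""))
    if from_domain != expected_domain:
        vendor_label = expected_domain.split(".")[0]
        if _edit_distance(from_domain, expected_domain) <= 2 or vendor_label in from_domain:
            findings.append(f"lookalike sender domain {from_domain!r} (expected {expected_domain!r})")
        else:
            findings.append(f"sender domain {from_domain!r} is not the vendor domain {expected_domain!r}")

    # A Reply-To on another domain sends the victim's replies to the attacker,
    # which is how a fake invoice conversation is kept going.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    # Return-Path is the envelope sender seen by the receiving mail server; a
    # mismatch with From does not prove spoofing but deserves a second look.
    return_path_domain = _domain(msg.get("Return-Path", ""))
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain!r} differs from From domain {from_domain!r}")

    return findings


# Constructed sample: zero-for-o lookalike domain and a Reply-To on a free-mail domain.
SUSPICIOUS_INVOICE = """\
From: ED Group Billing <invoices@edgr0up.example>
Reply-To: ED Group Billing <edgroup.billing@freemail.example>
To: ap@ruralhospital.example
Subject: Invoice 2231 - updated remittance details

Please remit this month's payment to our new account.
"""

# Constructed sample: the same invoice sent from the real vendor domain.
LEGITIMATE_INVOICE = """\
From: ED Group Billing <invoices@edgroup.example>
Return-Path: <invoices@edgroup.example>
To: ap@ruralhospital.example
Subject: Invoice 2231

Attached is this month's invoice.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_INVOICE), ("legitimate", LEGITIMATE_INVOICE)):
        print(label, check_sender(raw) or ["no red flags"])
```

Header checks like these are a filter, not proof: an attacker who has taken over the vendor’s real mailbox passes all three, which is why the account-change and call-back rules in the procedures above still matter.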
Case 2: CEO Fraud in Upsher-Smith Laboratories
CEO fraud is a form of phishing that abuses the name of the company’s CEO to trick employees into disclosing information or making financial transfers. In the case of Upsher-Smith Laboratories, the attackers got the Accounts Payable Coordinator to urgently transfer around $50 million in nine separate transactions to what was presented as the “CEO’s account.” The account, of course, belonged to the criminals.
This is one of the phishing examples where the employee carries the most blame. Other failures were in play, though. The transfers were large and frequent, so a bank representative should have called to verify them before letting them through. And if the company had had a set procedure for large transactions, the loss could have been prevented.
Although the transfers were stopped at $39 million, the damage was already done, and the company could not recover the money. It learned an expensive lesson about confirming unusual requests even when they are urgent and appear to come from the CEO. Setting up such procedures can be hard and time-consuming, but it has tremendous value.
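Both cases come down to a missing release control on outgoing payments: in Case 1 a vendor’s bank account changed without anyone confirming it by phone, and in Case 2 large, frequent transfers to an unfamiliar account went out on the strength of an email. The following Python is an added example, not the procedure either company actually adopted: it encodes three release rules (the beneficiary account must match the vendor master or be confirmed by call-back, amounts above a limit need a second approver, and more than a few transfers to one payee within a week are held) and replays constructed versions of both cases through them. The thresholds, vendor records, account numbers, amounts and dates are all assumptions made for illustration.

```python
"""Payment-release controls that would have held both cases for human review.

Added example, not code or policy from the original module. Thresholds, vendor
records, account numbers, amounts and dates are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical policy values; a real finance team sets these itself.
LARGE_AMOUNT = 250_000.00           # above this, a second approver must sign off
VELOCITY_WINDOW = timedelta(days=7)
VELOCITY_LIMIT = 3                  # this many prior transfers to one payee in the window => hold
CALLBACK_REASON = "bank account differs from vendor master; confirm by phone to the number on file"


@dataclass
class Transfer:
    payee: str
    account: str            # beneficiary account as given on the invoice or request
    amount: float
    requested_at: datetime
    requested_by: str       # where the request came from; informational only


@dataclass
class PaymentControls:
    # Vendor master: the bank account verified when the vendor was onboarded.
    vendor_master: dict[str, str]
    history: list[Transfer] = field(default_factory=list)

    def evaluate(self, t: Transfer) -> tuple[str, list[str]]:
        """Return ("release" | "hold", reasons). A hold must be cleared by a person, out of band."""
        reasons: list[str] = []
        known_account = self.vendor_master.get(t.payee)
        if known_account is None:
            reasons.append(f"payee {t.payee!r} is not in the vendor master; onboard and verify before paying")
        elif t.account != known_account:
            reasons.append(CALLBACK_REASON)
        if t.amount > LARGE_AMOUNT:
            reasons.append(f"amount {t.amount:,.2f} exceeds {LARGE_AMOUNT:,.2f}; second approver required")
        recent = [h for h in self.history
                  if h.payee == t.payee and t.requested_at - h.requested_at <= VELOCITY_WINDOW]
        if len(recent) >= VELOCITY_LIMIT:
            reasons.append(f"{len(recent)} transfers to {t.payee!r} in the last {VELOCITY_WINDOW.days} days")
        self.history.append(t)   # held transfers count too: the pattern is the signal
        return ("hold" if reasons else "release"), reasons


def simulate() -> dict[str, list[tuple[str, list[str]]]]:
    """Replay constructed versions of a legitimate invoice and of both cases; return the decisions."""
    day0 = datetime(2024, 1, 2)   # constructed date
    controls = PaymentControls(vendor_master={"ED group": "ACCT-ON-FILE-001"})

    # Constructed: a normal monthly invoice paid to the account on file.
    legit = [Transfer("ED group", "ACCT-ON-FILE-001", 200_000.0, day0 - timedelta(days=30), "emailed invoice")]
    # Case 1 (constructed): an emailed invoice asks for payment to an account not on file;
    # after that payment bounces, a second email supplies yet another account.
    case1 = [
        Transfer("ED group", "ACCT-NEW-777", 200_000.0, day0, "emailed invoice"),
        Transfer("ED group", "ACCT-NEW-888", 200_000.0, day0 + timedelta(days=3), "emailed invoice after bounce"),
    ]
    # Case 2 (constructed): nine urgent, large transfers "for the CEO" on consecutive days.
    case2 = [
        Transfer("CEO personal account", f"ACCT-CEO-{i}", 5_500_000.0, day0 + timedelta(days=i), "email from CEO")
        for i in range(9)
    ]
    return {
        "legit": [controls.evaluate(t) for t in legit],
        "case1": [controls.evaluate(t) for t in case1],
        "case2": [controls.evaluate(t) for t in case2],
    }


if __name__ == "__main__":
    for name, decisions in simulate().items():
        for decision, reasons in decisions:
            print(name, decision, reasons)
```

The point of the replay is that the rules do not need to know an email is fake. The first Case 1 transfer is held on the account mismatch alone, and every Case 2 transfer is held on the unknown payee and the amount, with the velocity rule adding a third reason from the fourth day on. What the hold triggers, a phone call to a number on file or a second approver, is the verbal confirmation and set procedure the text describes.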
Overall, the losses in both of these phishing email examples could have been avoided if the companies had had strong guidelines and enough cybersecurity know-how.
In the next module, you’ll learn more about another social engineering attack type, where the victim might not lose money outright, but whole networks may be infected.